Containers and Labels

Trusted Extensions uses containers for labeling. Containers are also called zones. The global zone is an administrative
zone, and is not available to users. Non-global zones are called labeled
zones. Labeled zones are used by users. The global zone shares
some system files with users. When these files are visible in a labeled zone,
the label of these files is ADMIN_LOW.

Network communication is restricted by label. By default, zones cannot
communicate with each other because their labels are different. Therefore,
one zone cannot write into another zone.

However, the administrator can configure specific zones to be able to read
specific directories from other zones. The other zones could be on the same
host, or on a remote system. For example, a user's home directory in a
lower-level zone can be mounted by using the automount service. The pathname
convention for such lower-level home mounts includes the zone name, as follows:

/zone/name-of-lower-level-zone/home/username

The following terminal window illustrates lower-level home directory
visibility. A user whose login label is Confidential: Internal Use Only can
view the contents of the Public zone when the automount service is configured
to make lower-level zones readable. The text file Info.txt has two versions.
The Public zone version contains information that can be shared with the
public. The Confidential: Internal Use Only version contains information that
can be shared within the company only.
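The access rules described above (read-down into a lower-level zone only when the administrator has enabled it, no writes across zones, ADMIN_LOW files readable from every labeled zone) modeled as a small policy check. This is an added illustration, not Trusted Extensions code; the zone names, the single-rank label lattice and the read_down_enabled flag are assumptions made for the example.

```python
# Constructed model of labeled-zone access to /zone/<zone>/home/<user> mounts.
# Real Trusted Extensions labels also carry compartments; only the
# hierarchical classification is modeled here (assumption).
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    rank: int   # a higher rank dominates a lower rank
    name: str


ADMIN_LOW = Label(0, "ADMIN_LOW")   # label of global-zone files shared with users
PUBLIC = Label(1, "Public")
INTERNAL = Label(2, "Confidential: Internal Use Only")

# Hypothetical zone-name -> zone-label table for this example.
ZONE_LABELS = {"public": PUBLIC, "internal": INTERNAL}


def dominates(a, b):
    """True when label a may read data at label b (read-down)."""
    return a.rank >= b.rank


def parse_lower_level_home(path):
    """Split /zone/<zone>/home/<user> into (zone, user); None if not that shape."""
    parts = path.split("/")
    if len(parts) != 5 or parts[:2] != ["", "zone"] or parts[3] != "home":
        return None
    if not parts[2] or not parts[4]:
        return None
    return parts[2], parts[4]


def decide(requester, path, op, read_down_enabled):
    """Return (allowed, reason) for a process in a zone labelled `requester`."""
    parsed = parse_lower_level_home(path)
    if parsed is None:
        return False, "not a lower-level home mount path"
    zone, _user = parsed
    target = ZONE_LABELS.get(zone)
    if target is None:
        return False, "unknown zone: " + zone
    if op == "write":
        return False, "one zone cannot write into another zone"
    if op != "read":
        return False, "unsupported operation: " + op
    if not read_down_enabled:
        return False, "lower-level home mounts not configured by the administrator"
    if target.rank >= requester.rank:
        return False, requester.name + " does not dominate " + target.name
    return True, requester.name + " may read " + target.name + " (read-down)"
```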